The National Institute of Standards and Technology¹ was established by an act of Congress on March 3, 1901. The Institute's overall goal is to strengthen and advance the Nation's science and technology and facilitate their effective application for public benefit. To this end, the Institute conducts research to assure international competitiveness and leadership of U.S. industry, science and technology. NIST work involves development and transfer of measurements, standards and related science and technology, in support of continually improving U.S. productivity, product quality and reliability, innovation and underlying science and engineering. The Institute's technical work is performed by the National Measurement Laboratory, the National Engineering Laboratory, the National Computer Systems Laboratory, and the Institute for Materials Science and Engineering.

The National Measurement Laboratory

Provides the national system of physical and chemical measurement; coordinates the system with measurement systems of other nations and furnishes essential services leading to accurate and uniform physical and chemical measurement throughout the Nation's scientific community, industry, and commerce; provides advisory and research services to other Government agencies; conducts physical and chemical research; develops, produces, and distributes Standard Reference Materials; provides calibration services; and manages the National Standard Reference Data System. The Laboratory consists of the following centers:

o Basic Standards²
o Radiation Research
o Chemical Physics
o Analytical Chemistry

The National Engineering Laboratory

Provides technology and technical services to the public and private sectors to address national needs and to solve national problems; conducts research in engineering and applied science in support of these efforts; builds and maintains competence in the necessary disciplines required to carry out this research and technical service; develops engineering data and measurement capabilities; provides engineering measurement traceability services; develops test methods and proposes engineering standards and code changes; develops and proposes new engineering practices; and develops and improves mechanisms to transfer results of its research to the ultimate user. The Laboratory consists of the following centers:

o Computing and Applied Mathematics
o Electronics and Electrical Engineering²
o Manufacturing Engineering
o Building Technology
o Fire Research
o Chemical Engineering²

The National Computer Systems Laboratory

Conducts research and provides scientific and technical services to aid Federal agencies in the selection, acquisition, application, and use of computer technology to improve effectiveness and economy in Government operations in accordance with Public Law 89-306 (40 U.S.C. 759), relevant Executive Orders, and other directives; carries out this mission by managing the Federal Information Processing Standards Program, developing Federal ADP standards guidelines, and managing Federal participation in ADP voluntary standardization activities; provides scientific and technological advisory services and assistance to Federal agencies; and provides the technical foundation for computer-related policies of the Federal Government. The Laboratory consists of the following divisions:

o Information Systems Engineering
o Systems and Software Technology
o Computer Security
o Systems and Network Architecture
o Advanced Systems

The Institute for Materials Science and Engineering

Conducts research and provides measurements, data, standards, reference materials, quantitative understanding and other technical information fundamental to the processing, structure, properties and performance of materials; addresses the scientific basis for new advanced materials technologies; plans research around cross-cutting scientific themes such as nondestructive evaluation and phase diagram development; oversees Institute-wide technical programs in nuclear reactor radiation research and nondestructive evaluation; and broadly disseminates generic technical information resulting from its programs. The Institute consists of the following divisions:

o Ceramics
o Fracture and Deformation²
o Polymers
o Metallurgy
o Reactor Radiation

¹ Headquarters and Laboratories at Gaithersburg, MD, unless otherwise noted; mailing address Gaithersburg, MD 20899.

² Some divisions within the center are located at Boulder, CO 80303.
EXECUTIVE SUMMARY

The Computer Security Act of 1987, P.L. 100-235, was enacted to improve the security and privacy of sensitive information in Federal computer systems. As one way of meeting that goal, the law requires that "each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each federal computer system within or under the supervision of that agency."

The National Institute of Standards and Technology (NIST) is responsible for developing standards, providing technical assistance, and conducting research for computers and related systems. These activities provide technical support to government and industry in the effective, safe, and economical use of computers. With the passage of P.L. 100-235, NIST's activities also include the development of standards and guidelines needed to assure the cost-effective security and privacy of information in Federal computer systems.

In fulfilling this responsibility, NIST has developed this document to provide a framework for identifying computer security training requirements for a diversity of audiences who should receive some form of computer security training. It focuses on learning objectives based upon the extent to which computer security knowledge is required by an individual as it applies to his or her job function.

These guidelines divide employees involved in the management, operation, and use of computer systems into five audience categories:

o Executives
o Program/Functional Managers
o IRM, Security, and Audit Personnel
o ADP Management, Operations, and Programming Staff
o End Users

These guidelines identify five training content, or subject matter, areas. The level of training required in each area will vary from general awareness training to specific courses in such areas as contingency planning, depending upon the training objectives established by the agency. The five areas are:

o Computer Security Basics
o Security Planning and Management
o Computer Security Policies and Procedures
o Contingency Planning
o Systems Life Cycle Management

The actual selection of the computer security training will depend upon the specific security responsibilities involving duties assigned to individual personnel.

This document is intended to be used by agencies as guidance in developing, acquiring, evaluating or selecting training courses in computer security.
INTRODUCTION

PURPOSE AND SCOPE

The Computer Security Act of 1987 (P.L. 100-235) was passed because "improving the security and privacy of sensitive information in Federal computer systems is in the public interest..." The law assigns to the National Institute of Standards and Technology the responsibility for developing guidelines for the training of employees who process sensitive information. The law further states that "Each agency shall provide for the mandatory periodic training in computer security awareness and accepted computer practices of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency."

This guideline provides a framework for determining the training needs of employees involved with computer systems. It describes the learning objectives of agency computer security training programs. A focus on learning objectives - what the employee should know and be able to direct or actually perform - is a generic way to write the guidelines so that agencies may use the guidance in developing, acquiring, evaluating, and selecting training courses in computer security that fit the agency environment. This approach also allows agencies to state clearly the purpose of the training so that effectiveness can be measured by determining how many of the learning objectives have been met.

The training outlined in these guidelines should be incorporated as much as possible into existing training programs rather than offered as a separate training program. For example, security awareness training could be included in orientation programs for new employees. All training courses involved with automated information systems equipment and software packages could include modules on computer security responsibilities. As training for managers and supervisors is redesigned, it could include modules on computer security in the areas of planning and management, policy and procedures, contingency planning, and systems life cycle management.

The guidance contained in this document applies to managers, operators, and users of all agency computer systems, both large and small. The basic principles of computer security apply to office information systems and personal computers as well as medium to large mainframe systems.

USING THE GUIDELINES

The law requires that employees responsible for the management, operation, and use of computer systems receive training in computer security awareness and acceptable computer practices. This guide divides these employees into five audience categories:

o Executives
o Program/Functional Managers
o IRM, Security, and Audit Personnel
o ADP Management, Operations, and Programming Staff
o End Users

The groupings are based on the fact that employees within a given category generally need to know or be able to perform the same or similar types of tasks. But this does not mean that every employee in the group must be trained to do all the tasks. Agencies will determine specific training needs to assure that each employee receives the appropriate training.

In addition to the audience categories discussed above, this guide also identifies five training content areas (e.g., computer security basics, security planning and management) and assumes that each audience category requires some level of training in each of the five training areas. For example (refer to the Training Matrix), Program Managers and End Users (two different audience categories) both need training in security planning and management, a single training area. However, Program Managers usually have direct responsibility for the planning for and management of security in the computer systems that support their program areas, while end users typically need only be aware of security planning and management activities. Thus, the level of training for Program Managers and End Users in the security planning and management area is Implementation and Basic, respectively. There may be situations where employees require knowledge only in some of the training subject areas. In these cases, the agency will design a training program by selecting those topics that provide the employees with the skills at the level appropriate to their current position. Many employees may fall into more than one audience category because they will be End Users and something else (e.g., Program Manager). These employees should receive both types of training.


DOCUMENT OVERVIEW

There are five training content, or subject matter, areas:

o Computer Security Basics
o Security Planning & Management
o Computer Security Policy and Procedures
o Contingency Planning
o Systems Life Cycle Management

Each of these is explained in the "Training Content Areas" section of this document.

There are four training levels:

o Awareness
o Policy
o Implementation
o Performance

The level of training required in each area will vary from general awareness training to specific courses in such areas as contingency planning, depending upon the training objectives established by the agency. The learning objectives at the appropriate training level for the audience are listed for each training content area. Different audiences may be expected to reach the same training level but the learning objectives may be different. For example, Program and Functional Managers and ADP Management personnel are both to be trained to the Performance level in Contingency Planning. Functional Managers must be able to identify critical workload, establish priorities, and assure the adequacy of contingency plans relating to the safety and availability of data supporting their function. The managers of ADP facilities must assume primary responsibility for developing emergency response plans, and backup and recovery plans for DP-supported functions which meet the requirements of the Program or Functional Managers. Thus, while each has implementation responsibilities in contingency planning, the learning objectives would be different due to the differences in the way they implement contingency planning in their job functions.

To use these guidelines, an agency should, for each audience category, design training which meets the learning objectives for that group. As an example, executives should receive awareness level training in computer security basics, and policy level training in security planning and management. The TRAINING MATRIX included in this document can assist agencies in making these decisions.


CROSS REFERENCES TO EXISTING PUBLICATIONS

These guidelines provide a listing which cross-references the training content areas to some of the existing publications which course developers and agency training officers may find useful in obtaining information and guidance in each topical area. Among the references are publications developed by the National Institute of Standards and Technology in its role to improve the utilization and management of computers and automatic data processing in the Federal Government. Also included are applicable Office of Management and Budget (OMB) requirements, Federal laws, and results of studies on computer crime conducted by the Department of Justice.


AUDIENCE CATEGORIES

Employees involved in the management, operation, and use of computer systems are divided into five audience categories:

Executives are those senior managers who are responsible for setting agency computer security policy, assigning responsibility for implementing the policy, determining acceptable levels of risk, and providing the resources and support for the computer security program.

Program and Functional Managers are those managers and supervisors who have a program or functional responsibility (not in the area of computer security) within the agency. They have primary responsibility for the security of their data. This means that they designate the sensitivity and criticality of data and processes, assess the risks to those data, and identify security requirements to the supporting data processing organization, physical security staff, physical facilities personnel, and users of their data. Functional Managers are responsible for assuring the adequacy of all contingency plans relating to the safety and continuing availability of their data.

IRM, Security, and Audit Personnel are all involved with the daily management of the agency's information resources, including the accuracy, availability, and safety of these resources. Each agency assigns responsibility somewhat differently, but as a group these persons issue procedures, guidelines, and standards to implement the agency's policy for information security, and monitor its effectiveness and efficiency. They provide technical assistance to users, functional managers, and the data processing organization in such areas as risk assessment and available security products and technologies. They review and evaluate the functional and program groups' performance in information security.

ADP Management, Operations, and Programming Staff are all involved with the daily management and operations of the automated data processing services. They provide for the protection of data in their custody and identify to the data owners what those security measures are. This group includes such diverse positions as computer operators, schedulers, tape librarians, data base administrators, and systems and applications programmers. They provide the technical expertise for implementing security-related controls within the automated environment. They have primary responsibility for all aspects of contingency planning.

End Users are any employees who have access to an agency computer system that processes sensitive information. This is the largest and most heterogeneous group of employees. It consists of everyone from the executive who has a PC with sensitive information to data entry clerks.


TRAINING CONTENT AREAS

There are five training content, or subject matter, areas. The actual selection of the computer security training will depend upon the specific security responsibilities involving duties assigned to individual personnel. The five areas are:

Computer Security Basics is the introduction to the basic concepts behind computer security practices and the importance of the need to protect the information from vulnerabilities to known threats.

Security Planning and Management is concerned with risk analysis, the determination of security requirements, security training, and internal agency organization to carry out the computer security function.

Computer Security Policies and Procedures looks at government-wide and agency-specific security practices in the areas of physical, personnel, software, communications, data, and administrative security.

Contingency Planning covers the concepts of all aspects of contingency planning, including emergency response plans, backup plans, and recovery plans. It identifies the roles and responsibilities of all the players involved.

Systems Life Cycle Management discusses how security is addressed during each phase of a systems life cycle (e.g., system design, development, test and evaluation, implementation, and maintenance). It addresses procurement, certification, and accreditation.


TRAINING LEVELS

The level of training required in each training, or subject matter, area will vary from general awareness training to specific courses in such areas as Contingency Planning, depending upon the training objectives established by the agency. Note that not every training level is needed for a given audience category or for a given content area.

Awareness training creates the sensitivity to threats and vulnerabilities and the recognition of the need to protect data, information, and the means of processing them.

Policy level training provides the ability to understand computer security principles so that executives can make informed policy decisions about computer and information security programs.

Implementation level training provides the ability to recognize and assess the threats and vulnerabilities to automated information resources so that the responsible managers can set security requirements which implement agency security policies.

Performance level training provides the employee with the skill to design, execute, or evaluate agency computer security procedures and practices. The objective of this training is that employees will be able to apply security concepts while performing the tasks that relate to their particular positions. It may require education in basic principles and training in state-of-the-art applications.
TRAINING MATRIX

[Matrix: rows are Training Areas, columns are Audience Categories; each cell gives the training level from the key below.]

Audience Category (columns):

o Executives
o Program & Functional Managers
o IRM, Security, and Audit
o ADP Management and Operations
o End Users

Training Area (rows):

o Computer Security Basics
o Security Planning & Mgmt.
o Computer Security Policy & Procedures
o Contingency Planning
o Systems Life Cycle Mgmt.

KEY: TRAINING LEVEL - Awareness, Policy, Implementation, Performance
TRAINING FRAMEWORK FOR EACH AUDIENCE CATEGORY

The following pages provide an outline of the training content, or subject matter, areas and the appropriate skills level (e.g., Awareness, Performance, etc.) recommended for each of the five audience categories.
A. AUDIENCE CATEGORY: EXECUTIVES (POLICY MAKERS)

AWARENESS TRAINING

Creates the sensitivity to the threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them.

POLICY LEVEL TRAINING

Provides the ability to understand computer security principles so that executives can make informed policy decisions about the computer security program.

1.0 Computer Security Basics (Awareness Level)

1.1 Understanding the threats to and vulnerabilities of computer systems.

o Definition of terms
o Major categories of threats, for example: unauthorized accidental or intentional disclosure, modification, destruction, or delay
o Threat impact areas
o Common examples of computer abuse
o Examples of common system vulnerabilities

1.2 Understanding the roles of various organizational units in assuring adequate security and safety of information resources.

o Senior Management - the policy makers
o End Users and Program or Functional Managers
o Data Processing Organization
o IRM, Security and Audit Functions

1.3 Understanding the basic concepts of risk management.

o Threat and vulnerability assessment
o Cost/benefit analysis of controls
o Implementation of cost-effective controls
o Monitoring efficiency and effectiveness of controls

2.0 Security Planning and Management (Policy Level)

2.1 Deciding on recommendations to organize the security program:

o Setting security policy
o Establishing roles and delegating authority
o Assigning responsibility

2.2 Deciding on recommendations for security planning:

o Setting security goals and objectives:
  - Level of security, and security training requirements
o Establishing auditing and monitoring functions
o Authorizing contingency plans
o Providing resources to meet goals and objectives

2.3 Deciding on recommendations for major risk management projects:

o Accepting risk as part of doing business
o Reducing or eliminating risks by employing corrective measures or modifying operations

3.0 Computer Security Policy & Procedures (Awareness Level)

3.1 Understanding the need for policies, procedures, and guidance for protection of resources in various areas:

o Data and information
o Physical
o Personnel
o Software
o Communications
o Administrative

4.0 Contingency Planning (Awareness Level)

4.1 Understanding the basic concepts of Contingency Planning.

o Why contingency planning is necessary
o Who develops the plans
o The difference between emergency plans, backup plans, and recovery plans

5.0 Systems Life Cycle Management (Awareness Level)

5.1 Understanding the basic concepts of Systems Life Cycle Management.

o Addressing security and internal controls during each phase of automated information system design:
  - Initiation
  - Development
  - Implementation
  - Certification
B. AUDIENCE CATEGORY: PROGRAM/FUNCTIONAL MANAGERS

AWARENESS TRAINING

Creates the sensitivity to threats and vulnerabilities of computer systems and the recognition of the need to protect data, information, and the means of processing them.

IMPLEMENTATION LEVEL TRAINING

Provides the ability to recognize and assess threats and vulnerabilities to automated information resources so that they can set security requirements which implement agency security policies.

PERFORMANCE LEVEL TRAINING

Provides the employee with the skill or ability to design, execute, or evaluate agency computer security procedures and practices. The objective of this training is that employees will be able to apply security concepts while performing the tasks that relate to their particular positions. It may require education in basic principles and training in state-of-the-art applications.

1.0 Computer Security Basics (Awareness Level)

1.1 Understanding the threats to and vulnerabilities of computer systems

o Definition of terms
o Major categories of threats, for example: unauthorized accidental or intentional disclosure, modification, destruction, or delay
o Threat impact areas
o Common examples of computer abuse
o Examples of common system vulnerabilities

1.2 Understanding agency policy and goals for protecting data and information

o Understanding of agency computer security policies
o Understanding of agency policy on employee accountability for agency information resources
1.3 Understanding good computer security practices for:

o Protection of areas
o Protection of equipment
o Protection of passwords
o Protection of files, data
o Protection against viruses, worms, etc.
o Backup of data and files
o Protection of magnetic storage media which contain sensitive information
o Reporting security violations

1.4 Understanding the roles of various organizational units in assuring adequate security and safety of information resources.

o Senior Management - the policy makers
o End Users and Program or Functional Managers
o Data Processing Organization
o IRM, Security and Audit Functions

2.0 Security Planning and Management (Implementation Level)

2.1 ADP Security Planning

o Assigning roles and responsibilities for protection of data which they manage
o Defining data/systems sensitivity and criticality
o Determining security requirements
o Determining security training needs for employees who have access to data and processing equipment
o Developing and recommending contingency planning requirements
o Preparing security plans for sensitive systems
o Determining and requesting resources for security requirements

2.2 Risk Analysis Process

o Assessing threats and vulnerabilities
o Performing cost analysis of recommended controls
o Recommending implementation of controls
3.0 Security Policies and Procedures (Implementation Level)

3.1 Data and Information Security

o Authorizing access to data, information, and systems
o Establishing audit trails of records of program and data use, and reviews for irregularities
o Setting data quality attributes of timeliness, accuracy, completeness, and confidentiality
o Establishing data transmission verification and validation procedures for data communications
o Establishing separation of duties rules

3.2 Personnel Security Policies

o Identifying position sensitivity
o Initiating employee screening process
o Taking disciplinary actions

4.0 Contingency Planning (Performance Level)

4.1 Assuring adequacy of contingency plans relating to safety and availability of data for which the functional manager has primary responsibility:

o Assigning roles and responsibilities for emergency, backup, and recovery procedures
o Coordinating emergency procedures with ADP, security, and audit personnel
o Planning and evaluating backup procedures
o Planning and providing support in recovery procedures

5.0 Systems Life Cycle Management Processes (Performance Level)

5.1 Participating in a management control process that ensures that appropriate administrative, physical, and technical safeguards are incorporated into all new applications and into significant modifications to existing applications:

o Evaluating the sensitivity of an application based upon risk analysis
o Determining security requirements and specifications for acquisitions
o Evaluating design review and systems test documents to ensure required safeguards are operationally adequate
o Participating in systems certification and accreditation process
C. AUDIENCE CATEGORY: IRM, SECURITY, AND AUDIT PERSONNEL


AWARENESS TRAINING

Creates a sensitivity to the threats and vulnerabilities of computer systems and a recognition of the need to protect data, information, and the means of processing them.

PERFORMANCE LEVEL TRAINING

Provides the employee with the skill or ability to design, execute, or evaluate agency computer security procedures and practices. The objective of this training is that employees will be able to apply security concepts while performing the tasks that relate to their particular positions. It may require education in basic principles and training in state-of-the-art applications.

1.0 Computer Security Basics (Awareness Level)

1.1 Understanding the threats to and vulnerabilities of computer systems

o Definition of terms
o Major categories of threats, for example: unauthorized accidental or intentional disclosure, modification, destruction, or delay
o Threat impact areas
o Common examples of computer abuse
o Examples of common system vulnerabilities

1.2 Understanding good computer security practices for:

o Protection of areas
o Protection of equipment
o Protection of passwords
o Protection of files, data
o Protection against viruses, worms, etc.
o Backup of data and files
o Protection of magnetic storage media which contain sensitive information
o Reporting security violations


1.3 Understanding the roles of various organizational units in assuring adequate security and safety of information resources

o Senior Management - the Policy Makers
o End Users and Program or Functional Managers
o Data Processing Organization
o IRM, Security and Audit Functions

1.4 Understanding the basic concepts of risk management

o Threat and vulnerability assessment
o Cost/benefit analysis of controls
o Implementation of cost-effective controls
o Monitoring efficiency and effectiveness of controls

2.0 Security Planning and Management (Performance Level)

2.1 Security Planning

o Developing the agency computer security policy statement for executive action
o Preparing implementing directives and procedures for computer security policy
o Developing a computer security program budget
o Evaluating the effectiveness of the computer security program
o Identifying security training requirements for managers, operators, and users of agency computer systems

2.2 Risk Analysis

o Assisting in identifying the roles and responsibilities of all the players in the risk analysis process
o Integrating vulnerability assessments required by OMB Circulars A-123 and A-130
o Coordinating and participating in risk analysis studies
o Assisting in evaluating risk analysis results
o Recommending corrective actions to ADP and functional managers


2.4 Audit and Monitoring

o Evaluating the effectiveness of computer security programs
o Conducting ADP security reviews
o Participating in verification, validation, testing, and evaluation processes
o Monitoring ADP systems for accuracy and abnormalities

3.0 Computer Security Policies and Procedures (Performance Level)

3.1 Information security

o Developing, recommending, or performing duties associated with the formulation and implementation of policies and procedures for protecting data and information in areas of:

- access authorization and authentication
- designation of sensitive data and applications
- marking of sensitive data
- accountability for sensitive data
- safeguarding and storage of data
- reproduction of sensitive data
- transmission of sensitive data
- destruction of sensitive data
- reporting of computer misuse or abuse

3.2 Physical security

o Evaluating and recommending physical security measures which meet the objectives of the agency's security policies in areas of:

- Building construction
- Data Processing Centers
- Physical access control systems
- Security measures for stand-alone systems and remote terminals
- Environmental controls
- Fire safety controls
- Storage area controls
- Proper housekeeping procedures


3.3 Personnel Security

o Developing, recommending, implementing, or evaluating personnel security practices and procedures which support the agency's security policies for:

- Position sensitivity
- Employee screening process
- Security training and awareness

3.4 Software Security

o Developing, recommending, implementing, or evaluating agency security requirements in the development of agency systems and applications software and configuration management systems for:

- Programming standards and controls
- Documentation
- Change controls
- Software security systems
- Audit trails and logging
- Operating systems security features

3.5 Administrative Security

o Monitoring administrative procedural controls in each functional area where data and information are received, processed, stored, and disseminated
o Providing guidance and assisting functional managers in preparation of security plans, including:

- Investigation of security breaches
- Reviewing audit trails and logs
- Reviewing software design standards
- Reviewing accountability controls in the Data Processing and functional areas


3.6 Communications Security

o Developing, evaluating, or recommending communications security measures for:

- Capabilities and limitations of various communications systems
- Commercial communications protection devices
- Cryptography

4.0 Contingency Planning (Performance Level)

4.1 Providing assistance in the development, coordination, testing, evaluation and implementation of agency contingency plans, as follows:

o Developing agency response procedures
o Serving as a team member in responding to an emergency situation
o Preparing guidelines for determining critical and essential workload
o Determining backup requirements
o Advising and assisting in development of procedures for off-site processing
o Advising and assisting in development or implementation of plans for recovery actions after a disruptive event

5.0 Systems Life Cycle Management (Performance Level)

5.1 Developing, recommending, implementing, or reviewing management control processes that ensure that appropriate administrative, physical, and technical safeguards are incorporated into all new applications and into significant modifications to existing applications:

o Assisting in evaluation of sensitivity of the application based upon risk analysis
o Assisting functional management to determine security specifications
o Performing or assisting in design review and systems test to ensure required safeguards are operationally adequate
o Performing or assisting in systems certification and accreditation process
D. AUDIENCE CATEGORY: ADP MANAGEMENT, OPERATIONS, and PROGRAMMING STAFF


AWARENESS TRAINING

Creates a sensitivity to the threats and vulnerabilities of computer systems and a recognition of the need to protect data, information, and the means of processing them.

PERFORMANCE LEVEL TRAINING

Provides the employee with the skill or ability to design, execute, or evaluate agency computer security procedures and practices. The objective of this training is that employees will be able to apply security concepts while performing the tasks that relate to their particular positions. It may require education in basic principles and training in state-of-the-art applications.

1.0 Computer Security Basics (Awareness Level)

1.1 Understanding the threats to and vulnerabilities of computer systems

o Definition of terms
o Major categories of threats, for example: unauthorized accidental or intentional disclosure, modification, destruction, or delay
o Threat impact areas
o Common examples of computer abuse
o Examples of common system vulnerabilities

1.2 Understanding good computer security practices for:

o Protection of areas
o Protection of equipment
o Protection of passwords
o Protection of files, data
o Protection against viruses, worms, etc.
o Backup of data and files
o Protection of magnetic storage media which contain sensitive information
o Reporting security violations


1.3 Understanding the roles of various organizational units in assuring adequate security and safety of information resources

o Senior Management - the Policy makers
o End Users and Program or Functional Managers
o Data Processing Organization
o IRM, Security, and Audit Functions

1.4 Understanding the basic concepts of risk management

o Threat and vulnerability assessment
o Cost/benefit analysis of controls
o Implementation of cost-effective controls
o Monitoring efficiency and effectiveness of controls

2.0 Security Planning and Management (Performance Level)

2.1 Establishing a security organizational structure within the data processing environment which implements the agency security program objectives

o Defining roles and responsibilities for:

- Data security administrators
- Computer security officers

o Interpreting functional management security requirements and applying state-of-the-art technology in selection of computer security controls
o Preparing a computer security program budget for data processing operations
o Evaluating effectiveness of the computer security program within data processing area
o Identifying security training requirements for data processing personnel

2.2 Risk Analysis

o Coordinating and assisting in risk analysis studies
o Evaluating risk analysis results
o Recommending and implementing corrective actions to deficiencies identified during risk analysis studies


2.3 Audit and Monitoring

o Conducting ADP security reviews
o Coordinating and assisting in the verification, validation, testing, and evaluation process for new or revised systems
o Assisting in regular reviews of ADP systems for accuracy and abnormalities
o Maintaining and regularly reviewing both automated and manual logs of:

- equipment malfunction
- program aborts
- magnetic storage media activity
- program library changes
- production scheduling and processing
- input/output activity
- physical access to data processing areas
- remote access to computer systems
- security logs citing security breaches, e.g., unauthorized access attempt

3.0 Computer Security Policies and Procedures (Performance Level)

3.1 Information security

o Developing, recommending, or performing duties associated with the formulation and implementation of policies and procedures for protecting data and information in areas of:

- access authorization and authentication
- marking of sensitive data
- accountability for sensitive data
- safeguarding and storage of data
- reproduction of sensitive data
- transmission of sensitive data
- destruction of sensitive data
- reporting of computer misuse or abuse


3.2 Physical security

o Implementing physical security measures within the data processing environment which meet the objectives of the agency's security policy for:

- Physical access control systems
- Security measures for stand-alone systems and remote terminals
- Environmental controls
- Fire safety controls
- Storage area controls
- Proper housekeeping procedures

3.3 Personnel Security

o Developing, recommending, implementing, evaluating, or supervising personnel security practices which support the agency's security policy for:

- Position sensitivity
- Employee screening process
- Security training and awareness
- Recognizing and reporting suspected computer abuse by employees

3.4 Software Security

o Developing, implementing, evaluating, and monitoring the agency security requirements in the development and implementation of systems and applications software and configuration management systems:

- Programming standards and controls
- Documentation
- Change controls
- Software security systems
- Audit trails and logging
- Operating systems security features
- System test and evaluation process


3.5 Administrative Security

o Monitoring administrative and procedural controls in each functional area where data and information are received, processed, stored, and disseminated, for example:

- Investigating security breaches
- Reviewing audit trails and logs
- Reviewing software design standards
- Reviewing and testing of new or revised application programs
- Reviewing accountability controls in the Data Processing and functional areas

3.6 Communications Security

o Developing, implementing, evaluating, or recommending communication security measures in areas of:

- Capabilities and limitations of various communications systems
- Commercial communications protection devices
- Cryptography

4.0 Contingency Planning (Performance Level)

4.1 Providing assistance and coordinating the development, testing, and implementation of agency contingency plans:

o Developing agency emergency response procedures to reduce the probability of a disaster through effective damage control
o Assuming the leading role in development of the agency contingency plan
o Identifying and determining cost justification of recovery alternatives available to management
o Preparing a plan for assignment of resources and responsibilities backing up the processing of the critical workload
o Advising and assisting functional management in contingency planning
o Developing, maintaining, and executing disaster recovery plans for resumption of processing after a disruptive event


5.0 Systems Life Cycle Management (Performance Level)

5.1 Participating in a management control process that ensures that appropriate administrative, physical, and technical safeguards are incorporated into all new applications and into significant modifications to existing applications:

o Assisting in evaluating sensitivity of the application based upon risk analysis
o Assisting functional management in determining security specifications
o Performing or assisting in design review and systems test to ensure required safeguards are operationally adequate
o Performing or assisting in systems certification and accreditation process
E. AUDIENCE CATEGORY: END USERS


AWARENESS TRAINING

Creates the sensitivity to the threats and vulnerabilities of computer systems and provides information on agency policy for protecting data, information, and the means of processing them.

PERFORMANCE LEVEL TRAINING

Provides the employee with the skill or ability to design, execute, or evaluate agency computer security procedures and practices. The objective of this training is that employees will be able to apply security concepts while performing the tasks that relate to their particular positions. It may require education in basic principles and training in state-of-the-art applications.

1.0 Computer Security Basics (Awareness Level)

1.1 Understanding the threats to and vulnerabilities of computer systems

o Definition of terms
o Major categories of threats, for example: unauthorized accidental or intentional disclosure, modification, destruction, or delay
o Threat impact areas
o Common examples of computer abuse
o Examples of common system vulnerabilities

1.2 Understanding agency policy and goals for protecting data and information

o Understanding of agency computer security policies
o Understanding of agency policy on employee accountability for agency information resources



1.3 Understanding good computer security practices for:

o Protection of areas
o Protection of equipment
o Protection of passwords
o Protection of files, data
o Protection against viruses, worms, etc.
o Backup of data and files
o Protection of magnetic storage media which contain sensitive information
o Reporting security violations

2.0 Security Planning and Management (Awareness Level)

2.1 Understanding the roles of various organizational units in assuring adequate security and safety of information resources

o Senior Management - the Policy makers
o End Users and Program or Functional Managers
o Data Processing Organization
o IRM, Security, and Audit Functions

2.2 Understanding the basic concepts of risk management

o Threat and vulnerability assessment
o Cost/benefit analysis of controls
o Implementation of cost-effective controls
o Monitoring efficiency and effectiveness of controls

3.0 Computer Security Policies and Procedures (Performance Level)

3.1 Following agency administrative procedures for protection of sensitive data

o Designation of sensitive data, applications and systems
o Marking of sensitive data
o Accountability for sensitive data
o Reproduction of sensitive data
o Transmission of sensitive data
o Destruction of sensitive data
o Disclosure of sensitive data
o Reporting computer abuse


3.2 Following agency procedures for physical security measures employed to protect data and information:

o Access controls
o Fire prevention and protection measures
o Proper housekeeping procedures
o Remote terminal protection devices
o Cryptography device protection

4.0 Contingency Planning (Performance Level)

4.1 Following agency emergency procedures by implementing the following:

o Identifying critical workload
o Scheduling for backup of critical data
o Storing and protecting backup files/data
o Periodically testing with backup files

4.3 Implementing or assisting in implementation of agency recovery procedures:

o Work scheduling
o Reconstruction of data bases

5.0 Systems Life Cycle Management (Awareness Level)

5.1 Understanding the basic concepts of Systems Life Cycle Management

o Addressing security and internal controls during each phase of automated information system design:

- Initiation
- Development
- Implementation
- Certification